Help protect your files using BitLocker Drive Encryption

You can use BitLocker Drive Encryption to help protect your files on an entire drive. BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would.

If you use a screen reader app, you won’t be able to hear BitLocker screens that appear before the Welcome screen, such as the BitLocker PIN entry screen or the BitLocker recovery screen.

Open BitLocker Drive Encryption by swiping in from the right edge of the screen, tapping Search (or if you're using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search), entering BitLocker in the search box, tapping or clicking Settings, and then tapping or clicking BitLocker Drive Encryption.

Tap or click Turn on BitLocker. You might be asked for an admin password or to confirm your choice.

You can temporarily suspend BitLocker—for example, if you need to install new software that BitLocker might otherwise block—and then resume it when you're ready. Or you can turn off BitLocker entirely, which decrypts the drive and removes all BitLocker protection.

Open BitLocker Drive Encryption by swiping in from the right edge of the screen, tapping Search (or if you're using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search), entering BitLocker in the search box, tapping or clicking Settings, and then tapping or clicking BitLocker Drive Encryption.

Do one of the following:

To temporarily suspend BitLocker, tap or click Suspend protection. You might be asked for an admin password or to confirm your choice.
Once you've done that, tap or click Yes.

To turn off BitLocker and decrypt the drive, tap or click the Turn off BitLocker link. You might be asked for an admin password or to confirm your choice.
Once you've done that, tap or click the Turn off BitLocker button.

What happens if I add more files to an encrypted drive?

New files are automatically encrypted when you add them to a drive that uses BitLocker. However, if you copy these files to another drive or a different PC, they're automatically decrypted.

Where can I use BitLocker?

BitLocker can encrypt the drive Windows is installed on (the operating system drive) as well as fixed data drives (such as internal hard drives). You can also use BitLocker To Go to help protect all files stored on a removable data drive (such as an external hard drive or USB flash drive).

BitLocker checks the PC during startup for any conditions that could represent a security risk (for example, a change to the BIOS software that starts the operating system when you turn on your PC, or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and you'll need a special BitLocker recovery key to unlock it.

You can choose how you want to unlock an encrypted data drive: with a password or a smart card. For fixed data drives, you can also set the drive to automatically unlock when you unlock the PC, if you prefer, as long as the operating system drive is BitLocker-protected. For removable data drives encrypted with BitLocker To Go, you can set the drive to automatically unlock when you sign in to the PC.
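The states described above (suspended protection, a missing recovery key, auto-unlock that depends on a protected operating system drive) can also be checked from PowerShell. This is an added example, not part of the original help text. It assumes the BitLocker module's Get-BitLockerVolume cmdlet (Windows 8 and Windows Server 2012 or later); the Get-BitLockerFinding function and the sample volumes are constructed for illustration.

```powershell
# Added example: classify BitLocker volume state from Get-BitLockerVolume-shaped objects.
function Get-BitLockerFinding {
    param([Parameter(Mandatory)] [object[]] $Volume)

    # Auto-unlock of data drives relies on a BitLocker-protected operating system drive.
    $osProtected = [bool]($Volume | Where-Object {
        "$($_.VolumeType)" -eq 'OperatingSystem' -and "$($_.ProtectionStatus)" -eq 'On' })

    foreach ($v in $Volume) {
        $status = "$($v.VolumeStatus)"
        $types  = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $issues = @()

        if ($status -eq 'FullyDecrypted') {
            $issues += 'not encrypted'
        } else {
            if ($status -ne 'FullyEncrypted') { $issues += "not fully encrypted ($status)" }
            # Encrypted data with protection Off is the "Suspend protection" state.
            if ("$($v.ProtectionStatus)" -eq 'Off') { $issues += 'protection suspended' }
            # RecoveryPassword is the 48-digit recovery protector.
            if ($types -notcontains 'RecoveryPassword') { $issues += 'no recovery password protector' }
            if ($v.AutoUnlockEnabled -and -not $osProtected) {
                $issues += 'auto-unlock without a protected OS drive'
            }
        }
        [pscustomobject]@{
            MountPoint = $v.MountPoint
            Healthy    = ($issues.Count -eq 0)
            Issues     = $issues -join '; '
        }
    }
}

# Constructed sample volumes (not real output). On a live system, run elevated:
#   Get-BitLockerFinding -Volume (Get-BitLockerVolume)
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'
        VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off'; AutoUnlockEnabled = $null
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' }) },
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'
        VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'; AutoUnlockEnabled = $true
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Password' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) },
    [pscustomobject]@{ MountPoint = 'E:'; VolumeType = 'Data'
        VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'; AutoUnlockEnabled = $false
        KeyProtector = @() }
)
Get-BitLockerFinding -Volume $sample | Format-Table -AutoSize
```

With the sample data, C: is reported as suspended and lacking a recovery password, D: is flagged because its auto-unlock depends on an operating system drive whose protection is off, and E: is reported as not encrypted.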

You can use BitLocker Drive Encryption to help protect all files stored on the drive Windows is installed on (operating system drive) and on fixed data drives (such as internal hard drives). You can use BitLocker To Go to help protect all files stored on removable data drives (such as external hard drives or USB flash drives).

Unlike Encrypting File System (EFS), which enables you to encrypt individual files, BitLocker encrypts the entire drive. You can log on and work with your files normally, but BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by removing it from your computer and installing it in a different computer.

When you add new files to a drive that is encrypted with BitLocker, BitLocker encrypts them automatically. Files remain encrypted only while they are stored in the encrypted drive. Files copied to another drive or computer are decrypted. If you share files with other users, such as through a network, these files are encrypted while stored on the encrypted drive, but they can be accessed normally by authorized users.

If you encrypt the operating system drive, BitLocker checks the computer during startup for any conditions that could represent a security risk (for example, a change to the BIOS or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and require a special BitLocker recovery key to unlock it. Make sure that you create this recovery key when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files. If your computer has the Trusted Platform Module (TPM) chip, BitLocker uses it to seal the keys that are used to unlock the encrypted operating system drive. When you start your computer, BitLocker asks the TPM for the keys to the drive and unlocks it.

If you encrypt data drives (fixed or removable), you can unlock an encrypted drive with a password or a smart card, or set the drive to automatically unlock when you log on to the computer.

You can turn off BitLocker at any time, either temporarily by suspending it, or permanently by decrypting the drive.

Note

The ability to encrypt drives using BitLocker Drive Encryption is only available in Windows 7 Ultimate and Enterprise editions.

Turning on BitLocker Drive Encryption (BitLocker) can help protect all files stored on the drive Windows is installed on, and on data drives on the same computer.

Unlike Encrypting File System (EFS), which enables you to encrypt individual files, BitLocker encrypts the entire drive, including the Windows system files necessary for startup and logon. You can log on and work with your files normally, but BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your hard disk by removing it from your computer and installing it in a different computer. BitLocker can only help protect files that are stored on the drive that Windows is installed on, and on data drives on the same computer. If you want to encrypt a data drive, you'll also need to encrypt the drive Windows is installed on, since the key for the data drive is stored on the Windows drive. If you store files and folders on other drives, such as USB flash drives or external hard drives, you can help protect them with EFS. You can also encrypt files and folders on BitLocker-encrypted drives for further security on a shared computer. For more information, see What is Encrypting File System (EFS)?

When you add new files to the drive with BitLocker, BitLocker encrypts them automatically. Files remain encrypted only while they are stored in an encrypted drive. Files copied to an unencrypted drive or another computer are decrypted. If you share files with other users, such as through a network, these files are encrypted while stored on the encrypted drive, but they can be accessed normally by authorized users.

During computer startup, if BitLocker detects a system condition that could represent a security risk (for example, disk errors, a change to the BIOS, or changes to any startup files), it will lock the drive and require a special BitLocker recovery password to unlock it. Make sure that you create this recovery password when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files.

BitLocker typically uses the Trusted Platform Module (TPM) chip in your computer to store the keys that are used to unlock the encrypted hard disk. When you log on to your computer, BitLocker asks the TPM for the keys to the hard disk and unlocks it. Because the TPM provides BitLocker with the keys immediately after you've logged on to your computer, the security of your computer relies on the strength of your logon password. If you have a strong password that prevents unauthorized users from logging on, the BitLocker-protected hard disk will remain locked.

For information about creating strong passwords, see Tips for creating a strong password. To learn how to increase your computer's security by requiring a password to clear away the screen saver, see Use your Windows password for your screen saver password. If your computer is managed by Group Policy, you might be able to use a USB device or startup key which can provide additional logon security. Ask your administrator about using BitLocker with a USB device or startup key.

Open BitLocker Drive Encryption by clicking the Start button, clicking Control Panel, clicking Security, and then clicking BitLocker Drive Encryption. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Click Turn On BitLocker. This opens the BitLocker setup wizard. Follow the instructions in the wizard.
